Merge pull request #1559 from CVEProject/dr_1542_createOrg_refactor

Resolves #1542

Author: david-rocca

src/controller/registry-org.controller/index.js

@@ -213,41 +213,9 @@ router.post('/registryOrg',
     }
   }
   */
+  mw.useRegistry(),
   mw.validateUser,
   mw.onlySecretariat,
-  body(['short_name']).isString().trim().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
-  body(['long_name']).isString().trim().notEmpty(),
-  body(['cve_program_org_function']).isString().trim().default('CNA'),
-  body(['root_or_tlr']).default(false).isBoolean(),
-  body(['oversees']).default([]).isArray(),
-  body(
-    [
-      'charter_or_scope',
-      'disclosure_policy',
-      'product_list',
-      'reports_to',
-      'contact_info.poc',
-      'contact_info.poc_email',
-      'contact_info.poc_phone',
-      'contact_info.org_email',
-      'contact_info.website'
-    ])
-    .default('')
-    .isString(),
-  body(['authority.active_roles']).optional()
-    .custom(isFlatStringArray)
-    .customSanitizer(toUpperCaseArray)
-    .custom(isOrgRole),
-  body(['soft_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA),
-  body(['hard_quota']).optional().not().isArray().isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max }).withMessage(errorMsgs.ID_QUOTA),
-  body(['contact_info.additional_contact_users']).optional()
-    .custom(isFlatStringArray),
-  body(['contact_info.admins']).optional()
-    .custom(isFlatStringArray),
-  body(['aliases']).optional()
-    .custom(isFlatStringArray)
-    .customSanitizer(toLowerCaseArray),
-  // TO-DO: validate users here once implemented
   parseError,
   parsePostParams,
   controller.CREATE_ORG

src/controller/registry-org.controller/registry-org.controller.js

@@ -1,4 +1,5 @@
 const argon2 = require('argon2')
+const mongoose = require('mongoose')
 const uuid = require('uuid')
 const logger = require('../../middleware/logger')
 const { getConstants } = require('../../constants')
@@ -89,110 +90,68 @@ async function getOrg (req, res, next) {
 
 async function createOrg (req, res, next) {
   try {
-    const CONSTANTS = getConstants()
-    const userRepo = req.ctx.repositories.getRegistryUserRepository()
-    const registryOrgRepo = req.ctx.repositories.getRegistryOrgRepository()
+    const session = await mongoose.startSession()
+    const repo = req.ctx.repositories.getBaseOrgRepository()
     const body = req.ctx.body
+    let createdOrg
 
-    // Short circuit if UUID provided
-    const bodyKeys = Object.keys(body).map(k => k.toLowerCase())
-    if (bodyKeys.includes('uuid')) {
+    // Do not allow the user to pass in a UUID
+    if ((body?.UUID ?? null) || (body?.uuid ?? null)) {
       return res.status(400).json(error.uuidProvided('org'))
     }
 
-    const newOrg = new RegistryOrg()
-    bodyKeys.forEach(k => {
-      if (k === 'long_name') {
-        newOrg.long_name = body[k]
-      } else if (k === 'short_name') {
-        newOrg.short_name = body[k]
-      } else if (k === 'aliases') {
-        newOrg.aliases = [...new Set(body[k])]
-      } else if (k === 'cve_program_org_function') {
-        newOrg.cve_program_org_function = body[k]
-      } else if (k === 'authority') {
-        if ('active_roles' in body[k]) {
-          newOrg.authority.active_roles = [...new Set(body[k].active_roles)]
-        }
-      } else if (k === 'reports_to') {
-        // TODO: org check logic?
-      } else if (k === 'oversees') {
-        // TODO: org check logic?
-      } else if (k === 'root_or_tlr') {
-        newOrg.root_or_tlr = body[k]
-      } else if (k === 'users') {
-        // TODO: users logic?
-      } else if (k === 'charter_or_scope') {
-        newOrg.charter_or_scope = body[k]
-      } else if (k === 'disclosure_policy') {
-        newOrg.disclosure_policy = body[k]
-      } else if (k === 'product_list') {
-        newOrg.product_list = body[k]
-      } else if (k === 'soft_quota') {
-        newOrg.soft_quota = body[k]
-      } else if (k === 'hard_quota') {
-        newOrg.hard_quota = body[k]
-      } else if (k === 'contact_info') {
-        const { additionalContactUsers, admins, ...contactInfo } = body[k]
-        newOrg.contact_info = {
-          additional_contact_users: [...(additionalContactUsers || [])],
-          poc: '',
-          poc_email: '',
-          poc_phone: '',
-          admins: [...(admins || [])],
-          org_email: '',
-          website: '',
-          ...contactInfo
-        }
+    try {
+      session.startTransaction()
+      const result = repo.validateOrg(req.ctx.body, { session })
+      if (!result.isValid) {
+        logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' }))
+        await session.abortTransaction()
+
+        // TODO: Investigate this, right now we are accepting either a one one-dimensional array of strings or just a string.
+        // However, we are taking the "highest" authority
+        //
+        //
+        // if (!Array.isArray(body?.authority) || body?.authority.some(item => typeof item !== 'string')) {
+        //   return res.status(400).json({ message: 'Parameters were invalid', details: [{ param: 'authority', msg: 'Parameter must be a one-dimensional array of strings' }] })
+        // }
+        return res.status(400).json({ message: 'Parameters were invalid', errors: result.errors })
       }
-    })
 
-    const doesExist = await registryOrgRepo.findOneByShortName(newOrg.short_name)
-    if (doesExist) {
-      logger.info({ uuid: req.ctx.uuid, message: newOrg.short_name + ' organization was not created because it already exists.' })
-      return res.status(400).json(error.orgExists(newOrg.short_name))
-    }
+      // Check for duplicate short_name
+      if (await repo.orgExists(body?.short_name, { session })) {
+        logger.info({
+          uuid: req.ctx.uuid,
+          message: `${body?.short_name} organization was not created because it already exists.`
+        })
+        await session.abortTransaction()
+        return res.status(400).json(error.orgExists(body?.short_name))
+      }
 
-    if (newOrg.reports_to === undefined) {
-      // TODO: This may need to be set to mitre, will ask the awg
-      newOrg.reports_to = null
-    }
-    if (newOrg.root_or_tlr === undefined) {
-      newOrg.root_or_tlr = false
-    }
-    if (newOrg.soft_quota === undefined) { // set to default quota if none is specified
-      newOrg.soft_quota = CONSTANTS.DEFAULT_ID_QUOTA
-    }
-    if (newOrg.hard_quota === undefined) { // set to default quota if none is specified
-      newOrg.hard_quota = CONSTANTS.DEFAULT_ID_QUOTA
-    }
-    if (newOrg.authority.active_roles.length === 1 && newOrg.authority.active_roles[0] === 'ADP') { // ADPs have quota of 0
-      newOrg.soft_quota = 0
-      newOrg.hard_quota = 0
-    }
+      // Create the org – repo.createOrg will handle field mapping
+      createdOrg = await repo.createOrg(body, { session, upsert: true })
 
-    newOrg.in_use = false
-    newOrg.UUID = uuid.v4()
+      await session.commitTransaction()
+    } catch (createErr) {
+      await session.abortTransaction()
+      throw createErr
+    } finally {
+      await session.endSession()
+    }
 
-    await registryOrgRepo.updateByUUID(newOrg.UUID, newOrg, { upsert: true })
-    const agt = setAggregateOrgObj({ UUID: newOrg.UUID })
-    let result = await registryOrgRepo.aggregate(agt)
-    result = result.length > 0 ? result[0] : null
+    const responseMessage = {
+      message: `${body?.short_name} organization was successfully created.`,
+      created: createdOrg
+    }
 
     const payload = {
-      action: 'create_registry_org',
-      change: result.short_name + ' was successfully created.',
+      action: 'create_org',
+      change: `${body?.short_name} organization was successfully created.`,
       req_UUID: req.ctx.uuid,
-      org_UUID: await registryOrgRepo.getOrgUUID(req.ctx.org),
-      org: result
+      org_UUID: createdOrg.UUID,
+      org: createdOrg
     }
-    payload.user_UUID = await userRepo.getUserUUID(req.ctx.user, payload.org_UUID)
-    logger.info(JSON.stringify(payload))
 
-    const responseMessage = {
-      message: result.short_name + ' was successfully created.',
-      created: result
-    }
+    logger.info(JSON.stringify(payload))
     return res.status(200).json(responseMessage)
   } catch (err) {
     next(err)

src/repositories/baseOrgRepository.js

@@ -407,16 +407,29 @@ class BaseOrgRepository extends BaseRepository {
 
   validateOrg (org) {
     let validateObject = {}
-
-    if (org.authority === 'ADP') {
-      validateObject = ADPOrgModel.validateOrg(org)
-    }
-    if (org.authority === 'SECRETARIAT') {
-      validateObject = SecretariatOrgModel.validateOrg(org)
-    }
-    // We will default to CNA if a type is not given
-    if (org.authority === 'CNA' || !org.authority) {
-      validateObject = CNAOrgModel.validateOrg(org)
+    if (Array.isArray(org.authority)) {
+      // User passed in an array, we need to decide how we handle this.
+      if (org.authority.includes('SECRETARIAT')) {
+        org.authority = 'SECRETARIAT'
+        validateObject = SecretariatOrgModel.validateOrg(org)
+      } else {
+        // We are not a secretariat, so we need to take most priv
+        if (org.authority.includes('CNA') || org.authority.length === 0) {
+          org.authority = 'CNA'
+          validateObject = CNAOrgModel.validateOrg(org)
+        }
+      }
+    } else {
+      if (org.authority === 'ADP') {
+        validateObject = ADPOrgModel.validateOrg(org)
+      }
+      if (org.authority === 'SECRETARIAT') {
+        validateObject = SecretariatOrgModel.validateOrg(org)
+      }
+      // We will default to CNA if a type is not given
+      if (org.authority === 'CNA' || !org.authority) {
+        validateObject = CNAOrgModel.validateOrg(org)
+      }
     }
 
     return validateObject